Security Basics mailing list archives
Re: why most sql injection is not occurred at mysql?
From: Francois Larouche <francois.larouche-ml () sqlpowerinjector com>
Date: Tue, 23 Oct 2007 10:14:17 -0700
Annyo MontyRee,

Funny you mention this, because in my experience I found more SQL injections in MySQL websites. But as you mention, it's not related to the database but to how it has been implemented inside the web application and/or inside the stored proc. As for MySQL, since there were no stored procs before version 5.0, it removes that threat inside the stored proc in the older versions. However, the thing is, most developers rely on the magic quotes function, which might seem to reduce the problem in MySQL but is still there when an integer parameter is used. The bottom line is they might just be harder to find or require more energy to find them.

Here's what I noticed with experience: depending on the languages used for the web development, the chances were higher to get SQL injection if it was ASP, PHP or Perl. Why? Because the learning curve for those languages is small and unfortunately most of the examples used for database interaction (SELECT, UPDATE, etc...) in books and websites use string concatenation for simplicity and space limitation. Also, PHP didn't have any system of prepared statements until (relatively) recently, so by design there was blind SQL injection.

Now, if you ask me if in general a SQL injection is more dangerous in MS-SQL or Oracle than MySQL, I'll say most definitely. MS-SQL and Oracle are closer to the OS and have more powerful stored procs. But again, MySQL has enough harmful functions to create as much damage as any other DBMS, and it takes only one good vulnerability to own the system...

My 2 cents,

Cheers
Francois
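The point about magic quotes above is the one worth seeing in code: quote-escaping stops a quoted string parameter from breaking out of its literal, but does nothing for an integer parameter that is concatenated without quotes. The following is an added example, not code from the thread; it uses SQLite in place of MySQL, a constructed three-row table, and an escape_quotes() helper that stands in for the quote-escaping magic quotes performed (SQLite doubles quotes where MySQL backslash-escapes them).

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [(1, "alice", "alice@example.com"),
        (2, "bob", "bob@example.com"),
        (3, "carol", "carol@example.com")]


def make_db():
    """In-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def escape_quotes(value):
    """Stand-in for magic quotes: neutralise single quotes (SQLite doubles them).
    Assumption: this is the whole of what quote-escaping does, nothing else."""
    return str(value).replace("'", "''")


def lookup_by_name_concat(conn, name):
    """String parameter built by concatenation: escaping keeps the value inside
    its quotes, so a quote-breakout attempt is matched as a literal name."""
    sql = "SELECT id, name FROM users WHERE name = '" + escape_quotes(name) + "'"
    return conn.execute(sql).fetchall()


def lookup_by_id_concat(conn, user_id):
    """Integer parameter built by concatenation: there are no quotes to escape,
    so whatever text arrives becomes part of the WHERE clause unchanged."""
    sql = "SELECT id, name FROM users WHERE id = " + escape_quotes(user_id)
    return conn.execute(sql).fetchall()


def lookup_by_id_param(conn, user_id):
    """Prepared statement: the driver binds the value; it never becomes SQL text,
    so non-numeric input simply matches no integer id."""
    sql = "SELECT id, name FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()
```

Running lookup_by_id_concat() with the text "1 OR 1=1" returns every row, while lookup_by_id_param() with the same text returns none; the string case shows why escaping alone looks adequate until an integer column is involved.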
Hello, all. As I know, SQL injection itself has no relation to the database. Surely I have seen SQL injection occur at MySQL, but in my short experience, most SQL injection occurs at MS-SQL or Oracle based sites, not MySQL. I don't know why. Any idea? Thanks for your help in advance.